Headline
CVE-2020-36625: Fix WebSocket upgrade CSRF vulnerability by 11k · Pull Request #35 · destinygg/chat
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
For WebSocket upgrade requests, gorilla/websocket calls CheckOrigin to determine if the upgrade should be performed. The function should "carefully validate the request origin to prevent cross-site request forgery".
The current implementation immediately returns true, essentially performing no check. If undefined, a “safe default” is used, which only upgrades the request if the host component of the Origin header matches the Host header.
This PR removes the current implementation so the default is used.